Support #20253
openCeph RGW Users (rgw keystone implicit tenants)
Description
Apologies, I am not 100% sure if this is expected behaviour or a bug; happy to re-write as a feature request if needed.
To pre-empt confusion, OpenStack Project = OpenStack Tenant.
With RGW configured with 'rgw keystone implicit tenants = true' and the associated keystone options set, we tell RGW to check a Keystone endpoint to manage user access. That works well: the user gets created on the first request to RGW, and you can check this with 'radosgw-admin user list'.
This shows the RGW users identified by Keystone UUIDs (project:project). This is not quite what I was expecting; I had imagined this would be project:user, making way for per-user, per-project permissions etc.
For example, project user 1 (non admin) may wish to create a container that is read only for user 2 (non admin). They would expect to set the associated read-acls to enable this on a per-container basis; however, in the current situation user 2 actually already has full access, as there is no differentiation between the users.
This means that every user inside a tenant gets (in swift terms) 'account level access' which is essentially a project admin.
It seems that to support container level access, the concept of project:user is needed. It also seems reasonable to suggest a configurable option to specify an account level admin role extending 'rgw keystone accepted roles' (i.e. a 'swift_proj_owner' role for the 'admin' of each tenant, and a 'swift_proj_user' for normal users). There may well be a much better way to implement this!
Appreciate any feedback as to whether this is expected behaviour or not, and whether it's possible to implement further support.
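The situation the ticket describes can be audited from the output of 'radosgw-admin user list'. The script below is an added example, not code from the ticket or from Ceph; it assumes the `tenant$uid` form that radosgw-admin prints for tenanted user ids (the ticket writes it as project:project) and uses constructed sample ids. It groups users by tenant and flags tenants whose only user id equals the tenant id, which is the implicit-tenant case where every Keystone user of the project maps onto one RGW user with project-wide access.

```python
"""Audit radosgw-admin user list output for implicit-tenant (project-wide) users.

Added example; assumes the tenant$uid form for tenanted radosgw user ids.
"""
import json
from collections import defaultdict

# Constructed sample of what `radosgw-admin user list` might print as JSON.
# The two 32-hex ids stand in for Keystone project UUIDs.
SAMPLE_USER_LIST = json.dumps([
    # implicit tenant: uid == tenant, one RGW user for the whole project
    "a1b2c3d4e5f64a7b8c9d0e1f2a3b4c5d$a1b2c3d4e5f64a7b8c9d0e1f2a3b4c5d",
    "0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c$0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c",
    # a per-user id inside the second tenant (hypothetical, not what implicit tenants create)
    "0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c$alice",
    # an untenanted (legacy) user, outside the Keystone mapping
    "legacy-untenanted-user",
])


def parse_user_id(raw):
    """Split a radosgw user id into (tenant, uid); untenanted ids get tenant ''."""
    if "$" in raw:
        tenant, uid = raw.split("$", 1)
        return tenant, uid
    return "", raw


def audit_implicit_tenants(user_list_json):
    """Group users by tenant and report which tenants carry a project-wide user.

    With 'rgw keystone implicit tenants = true', RGW materialises one user per
    Keystone project whose uid is the project id itself. Every Keystone user in
    that project authenticates as this single RGW user, so there is nothing to
    differentiate them at the container ACL level.
    """
    by_tenant = defaultdict(list)
    for raw in json.loads(user_list_json):
        tenant, uid = parse_user_id(raw)
        by_tenant[tenant].append(uid)

    report = {}
    for tenant, uids in by_tenant.items():
        if not tenant:
            continue  # untenanted users are not part of the Keystone mapping
        report[tenant] = {
            "shared_account_user": tenant in uids,
            "other_uids": sorted(u for u in uids if u != tenant),
        }
    return report


if __name__ == "__main__":
    for tenant, info in audit_implicit_tenants(SAMPLE_USER_LIST).items():
        flag = "project-wide user present" if info["shared_account_user"] else "per-user ids only"
        print(f"{tenant}: {flag}; other uids: {info['other_uids']}")
```

Run it against the real output of 'radosgw-admin user list' (pipe the JSON into `audit_implicit_tenants`) to see which Keystone projects have already been materialised as a single shared RGW user; any container ACL granted to such a user is in effect granted to every member of the project.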
Updated by Nathan Cutler almost 7 years ago
- Tracker changed from Bug to Support
- Project changed from Ceph to rgw
- Category deleted (22)
Updated by Ross Martyn almost 7 years ago
This ticket has been resisted at http://tracker.ceph.com/issues/20570 and improved for clarity. Please close this duplicate.